Packet filtering considerations and example, Implicit deny – ADC CUDA 3 User Manual
ADC Telecommunications, Inc.
Chapter 15: IP Packet Filtering
Packet Filtering Considerations and Example
This section reviews the considerations you should keep in mind when 
creating packet filters, and provides examples using the access-list and
access-class commands.
When configuring packet filtering, consider the information in the next two 
sections.
Implicit Deny
Every access list ends with an implicit deny: a packet that matches none of the rules in the list is rejected. When more than one access list is applied to an interface, a packet that matches no rule in the current list is compared against the access list with the next highest priority, and so on through each remaining list. If no match is found after the final access list on the interface, the packet is dropped.
For example, the following access list will cause all IP packets to be rejected:
cli:172.16.19.10:interface:pos:csi(1/3/1)# access-list 2 deny 1 ip 172.16.19.20 0.0.0.0 any
Because that is the only rule defined in the list, the composition of access list 
2 is currently:
deny 172.16.19.20 any
deny any any
All packets are rejected: packets with source address 172.16.19.20 match rule 1 and are denied, and every other packet matches no rule and is dropped by the implicit deny. To allow the remaining traffic, add a permit any any rule after the deny:
cli:172.16.19.10:interface:pos:csi(1/3/1)# access-list 2 permit 2 ip any any
Access list 2 is now comprised of the following rules:
deny 172.16.19.20 any
permit any any
deny any any
Packets from 172.16.19.20 still match rule 1 and are denied; everything else matches rule 2 and is permitted, so the implicit deny is never reached. The permit is given sequence number 2 so that it is evaluated after the deny; with a lower sequence number it would match first and the deny would never take effect.
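The evaluation order described above (first match wins within a list, fall through to the next list on the interface, implicit deny after the last one) is easy to get wrong when reading a configuration, so the following simulator, added here as an example and not part of the ADC manual or the CUDA software, replays it on the page's two commands. The command grammar it accepts, access-list <list> <permit|deny> <seq> ip <src> <dst> with each address given as either any or <address> <wildcard>, is inferred from the two commands shown on this page; the wildcard mask is assumed to follow the usual convention that a 1 bit means "don't care", so 0.0.0.0 is an exact host match. The list numbers, hosts and sequence numbers beyond those on the page are constructed for the demonstration.

```python
"""Simulate first-match access-list evaluation with a trailing implicit deny.

Added example for this manual page; not ADC's code. Command grammar and
wildcard-mask semantics are assumptions stated in the lead-in above.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# "any" is shorthand for address 0.0.0.0 with an all-ones wildcard.
ANY = ("0.0.0.0", "255.255.255.255")


@dataclass
class Rule:
    seq: int
    action: str             # "permit" or "deny"
    src: Tuple[str, str]    # (address, wildcard mask)
    dst: Tuple[str, str]


def addr_matches(addr: str, spec: Tuple[str, str]) -> bool:
    """Compare only the bits that are 0 in the wildcard mask."""
    ref, wild = spec
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(ref))
    w = int(ipaddress.IPv4Address(wild))
    return (a | w) == (r | w)   # forcing the wildcard bits to 1 on both sides ignores them


def _take_spec(tokens: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume 'any' or '<address> <wildcard>' starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    return (tokens[i], tokens[i + 1]), i + 2


def parse_access_list_cmd(cmd: str) -> Tuple[int, Rule]:
    """Parse 'access-list <list> <permit|deny> <seq> ip <src> <dst>' (assumed grammar)."""
    t = cmd.split()
    if len(t) < 7 or t[0] != "access-list" or t[4] != "ip":
        raise ValueError(f"unsupported command: {cmd}")
    list_no, action, seq = int(t[1]), t[2], int(t[3])
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action: {action}")
    src, i = _take_spec(t, 5)
    dst, i = _take_spec(t, i)
    if i != len(t):
        raise ValueError(f"trailing tokens in: {cmd}")
    return list_no, Rule(seq, action, src, dst)


class AccessList:
    def __init__(self, number: int):
        self.number = number
        self.rules: List[Rule] = []

    def add(self, rule: Rule) -> None:
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.seq)   # lower sequence number is tried first

    def composition(self) -> List[str]:
        """Render the list the way the manual shows it, implicit deny included."""
        def fmt(spec: Tuple[str, str]) -> str:
            return "any" if spec == ANY else spec[0]
        return [f"{r.action} {fmt(r.src)} {fmt(r.dst)}" for r in self.rules] + ["deny any any"]

    def evaluate(self, src: str, dst: str) -> Optional[Tuple[str, int]]:
        """First matching rule wins; None means no rule in this list matched."""
        for r in self.rules:
            if addr_matches(src, r.src) and addr_matches(dst, r.dst):
                return r.action, r.seq
        return None


def filter_packet(lists: List[AccessList], src: str, dst: str) -> Tuple[str, Optional[int], Optional[int]]:
    """Apply the interface's lists in priority order.

    Returns (action, list number, rule sequence); ("deny", None, None) is the
    implicit deny reached when no rule in any list matched.
    """
    for acl in lists:
        verdict = acl.evaluate(src, dst)
        if verdict is not None:
            return verdict[0], acl.number, verdict[1]
    return "deny", None, None


def build_lists(cmds: List[str]) -> Dict[int, AccessList]:
    """Group parsed access-list commands by list number."""
    lists: Dict[int, AccessList] = {}
    for cmd in cmds:
        n, rule = parse_access_list_cmd(cmd)
        lists.setdefault(n, AccessList(n)).add(rule)
    return lists


if __name__ == "__main__":
    # The page's first configuration: a single deny, so every packet is rejected.
    acl2 = build_lists(["access-list 2 deny 1 ip 172.16.19.20 0.0.0.0 any"])[2]
    print(acl2.composition())
    print(filter_packet([acl2], "172.16.19.20", "10.0.0.1"))   # explicit deny, rule 1
    print(filter_packet([acl2], "172.16.19.21", "10.0.0.1"))   # implicit deny
    # After the page's second command the non-matching packet is permitted.
    acl2.add(parse_access_list_cmd("access-list 2 permit 2 ip any any")[1])
    print(acl2.composition())
    print(filter_packet([acl2], "172.16.19.21", "10.0.0.1"))
```

Running it reproduces the two list compositions shown on this page and the verdict for a host other than 172.16.19.20 before and after the permit is added. Swapping the sequence numbers so the permit any any sorts before the deny makes the deny unreachable, which is the ordering mistake the simulator makes visible.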